Storage networks generally include server devices that store data, such as web applications, web pages, or other content. The server devices are often protected from malicious attacks by traffic management computing devices, which often perform other functions as well, including load balancing and application acceleration, for example. One such class of attacks is denial of service (DoS) or distributed denial of service (DDoS) attacks, although many other types of malicious attacks exist. The malicious attacks can be identified based on, for example, anomalous network traffic received by the traffic management computing devices.
However, current methods of identifying malicious attacks are not robust, and false positives often occur, resulting in the implementation of a mitigation technique on benign traffic. For example, current traffic management computing devices often mistake an increase in network traffic volume for an attack when the associated network traffic may not be malicious and the increased network traffic may be desirable. In another example, current traffic management computing devices often determine that a network traffic pattern is malicious even though the corresponding server devices are not experiencing a health problem and can service all of the current network traffic. Since the server devices are not experiencing any issues in this example, the identification of the network traffic pattern as malicious is likely a false positive. Current traffic management computing devices are ineffective at distinguishing network attacks from false positives.